Recommended expert

Ali Yazdani

Principal Product Security Engineer

Berlin, Germany

Experience

Jul 2024 - Dec 2024
6 months

Principal Product Security Engineer

Payrails GmbH

  • Defined and executed a comprehensive security roadmap: integrated Shift-Left Security, CNAPP, and DevSecOps principles to streamline secure product development and reduce risk exposure.
  • Established a robust threat modeling framework: embedded security into design processes, enabling early identification of vulnerabilities and reducing potential risks.
  • Developed a scalable Vulnerability Management program: accelerated detection and remediation of new vulnerabilities, significantly shortening the risk response cycle.
  • Enhanced cloud and container security: leveraged advanced tools such as Tetragon to achieve deeper visibility and implement a defense-in-depth strategy.
  • Automated security controls within CI/CD pipelines: integrated security measures into the development lifecycle to maintain continuous delivery with robust safeguards.
  • Championed cross-functional collaboration: partnered with developers and infrastructure teams to prioritize threats and align remediation efforts, fostering a unified security culture.
  • Ensured regulatory compliance and audit readiness: collaborated closely with the InfoSec team to adhere to internal policies and successfully support audits for standards like PCI DSS and SOC 2.
Aug 2022 - Jun 2024
1 year 11 months

Principal Security Engineer

ScoutBee GmbH

  • Embedded secure development practices: collaborated with development teams to implement secure coding best practices and establish robust CI/CD guardrails, ensuring alignment with evolving security objectives.
  • Enhanced cloud security posture: worked with infrastructure and SRE teams to identify vulnerabilities and misconfigurations; introduced infrastructure as code scanning, Cloud-Native Application Protection Platforms (CNAPP), and policy as code, significantly improving cloud security and operational visibility.
  • Advanced threat mitigation training: conducted threat modeling and secure coding workshops, empowering teams to proactively identify and mitigate risks during design and development, thereby reinforcing a shift-left security mindset.
  • Integrated comprehensive security controls: led the incorporation of static application security testing (SAST), software composition analysis (SCA), IaC security scanning, policy as code (PaC), and dynamic application security testing (DAST) into CI/CD pipelines across four key projects, reducing remediation costs and turnaround times.
  • Implemented IAM/PAM and Zero Trust: designed and deployed an identity and access management (IAM) and privileged access management (PAM) solution to enforce least privilege access across infrastructure. Integrated Zero Trust architecture by implementing Just-in-Time (JIT) access, role-based access control (RBAC), multi-factor authentication (MFA), and continuous access monitoring to secure infrastructure access.
  • Reduced design vulnerabilities: facilitated targeted threat modeling exercises that decreased potential software vulnerabilities before development.
  • Optimized vulnerability management: directed penetration testing and vulnerability management programs in collaboration with development and operations teams, achieving improved time-to-resolution and enhancing overall product security.
  • Promoted a DevSecOps culture: championed shift-left strategies throughout the software development life cycle (SDLC), fostering early detection and remediation of threats and reducing security risks.
  • Ensured regulatory compliance: conducted comprehensive security assessments and audits for applications and infrastructure, maintaining strict adherence to standards such as ISO 27001, TISAX, SOC 2, and GDPR.
Feb 2022 - Jul 2022
6 months

Staff Security Engineer

NewStore GmbH

  • Developed and implemented comprehensive application and API security strategies, incorporating secure coding practices along with robust authentication and authorization mechanisms.
  • Designed and deployed tailored security controls across cloud infrastructures, reinforcing the security posture for both AWS environments and Kubernetes deployments.
  • Directed extensive penetration testing and vulnerability management initiatives to proactively identify and remediate security gaps across applications, APIs, and supporting infrastructure.
  • Conducted thorough security assessments and audits to ensure continuous compliance with industry standards and regulatory requirements, including ISO 27001, SOC 2, and GDPR.
Sep 2021 - Feb 2022
6 months

Engineering Lead DevSecOps

Henkel AG

  • Integrated advanced DevSecOps technologies into CI/CD pipelines to strengthen application and infrastructure security, ensuring new services consistently adhere to security best practices.
  • Spearheaded comprehensive threat modeling sessions to proactively uncover security vulnerabilities in software designs, and developed effective countermeasures to mitigate risks.
  • Championed a shift-left strategy by collaborating with DevOps teams to embed security controls throughout the SDLC, fostering a culture of continuous improvement and heightened security awareness.
Jul 2019 - Aug 2021
2 years 2 months

Senior Security Engineer

Raisin GmbH

  • Conducted regular vulnerability assessments and penetration tests to uncover and remediate security weaknesses across applications, APIs, and infrastructure.
  • Designed and evaluated cloud and hybrid infrastructure solutions on Azure IaaS and PaaS, ensuring robust data protection and service continuity.
  • Applied threat modeling techniques to assess software designs and infrastructure, identifying potential security issues and implementing effective countermeasures.
  • Executed comprehensive security testing and code reviews within the SDLC, integrating SAST, SCA, and DAST tools into CI/CD pipelines to support a shift-left security strategy.
  • Collaborated closely with development, operations, and security teams to embed security practices into DevOps workflows, promoting a culture of continuous improvement and heightened security awareness.
Dec 2016 - Present
9 years 3 months

Open-Source Security Contributions

OWASP Foundation

  • Project Leader: OWASP DevSecOps Guideline – led the development and maintenance of a comprehensive guide for integrating security into DevOps practices, influencing the global security community.
  • Contributor: OWASP Mobile Security Testing Guide (MSTG) – contributed to the creation and refinement of a widely recognized framework for mobile application security testing.
Nov 2015 - Apr 2019
3 years 6 months

Red Team Tech Lead

MTN Irancell

  • Led vulnerability assessments and penetration testing initiatives to uncover and address security gaps across networks, applications, and systems.
  • Reviewed service architectures and conducted thorough threat modeling for critical services, designing effective countermeasures to protect data and services.
  • Developed and enforced comprehensive IT infrastructure security checklists for both new and existing systems to ensure adherence to regulatory and industry standards.
  • Engineered security tools and automation scripts that streamlined security processes and enhanced operational efficiency.
  • Contributed to the formulation and implementation of security policies, procedures, and standards aligned with industry best practices, thereby strengthening the organization's overall security posture.
Mar 2010 - Dec 2018
8 years 10 months

Penetration Tester

Freelancer

  • Conducted thorough web application penetration tests using tools such as Burp Suite, OWASP ZAP, and Nmap to identify vulnerabilities including XSS, SQL injection, and insecure authentication.
  • Executed extensive mobile application testing for iOS and Android platforms with MobSF, APK Analyzer, and Frida, uncovering issues like insecure data storage, flawed authentication, and weak encryption.
  • Compiled comprehensive vulnerability reports with detailed risk assessments and clear remediation recommendations, and effectively communicated findings to both technical and management teams.

Industries Experience


Experienced in Information Technology (16 years), Telecommunication (3.5 years), Banking and Finance (2.5 years), and Chemical (0.5 years).


Business Areas Experience


Experienced in Information Technology (14.5 years), Project Management (9 years), Research and Development (9 years), Operations (2 years), Quality Assurance (2 years), and Audit (1 year).


Summary

Accomplished Security Engineer with 10+ years across Telco, FinTech, Retail, and SaaS. I integrate robust security practices into software development through DevSecOps, threat modeling, penetration testing, and vulnerability management—bridging the gap between technical and business teams. As leader of the OWASP DevSecOps Guideline project and a regular industry speaker, I drive secure, cost-effective innovation and champion a culture of proactive application security.

Languages

Persian
Native
English
Advanced

Education

Oct 2011 - Jun 2013

jdeihe.ac.ir

Bachelor · Computer Software Engineering · Iran, Islamic Republic of

Oct 2006 - Jun 2009

jdeihe.ac.ir

Associate · Computer Software Engineering · Iran, Islamic Republic of


Frequently asked questions

Do you have questions? Here you can find further information.

Where is Ali based?

Ali is based in Berlin, Germany and can operate in on-site, hybrid, and remote work models.

What languages does Ali speak?

Ali speaks the following languages: Persian (Native), English (Advanced).

How many years of experience does Ali have?

Ali has at least 16 years of experience. During this time, Ali has worked in at least 8 different roles and for 8 different companies. The average length of individual experience is 2 years. Note that Ali may not have shared all experience and actually has more experience.

What roles would Ali be best suited for?

Based on recent experience, Ali would be well-suited for roles such as: Principal Product Security Engineer, Principal Security Engineer, Staff Security Engineer.

What is Ali's latest experience?

Ali's most recent position is Principal Product Security Engineer at Payrails GmbH.

What companies has Ali worked for in recent years?

In recent years, Ali has worked for Payrails GmbH, ScoutBee GmbH, NewStore GmbH, Henkel AG, and Raisin GmbH.

Which industries is Ali most experienced in?

Ali is most experienced in industries like Information Technology (IT), Telecommunication, and Banking and Finance. Ali also has some experience in Chemical.

Which business areas is Ali most experienced in?

Ali is most experienced in business areas like Information Technology (IT), Project Management, and Research and Development (R&D). Ali also has some experience in Operations, Quality Assurance (QA), and Audit.

Which industries has Ali worked in recently?

Ali has recently worked in industries like Information Technology (IT), Banking and Finance, and Chemical.

Which business areas has Ali worked in recently?

Ali has recently worked in business areas like Project Management, Research and Development (R&D), and Information Technology (IT).

What is Ali's education?

Ali holds a Bachelor in Computer Software Engineering and an Associate degree in Computer Software Engineering, both from jdeihe.ac.ir.

What is the availability of Ali?

Ali is immediately available full-time for suitable projects.

What is the rate of Ali?

Ali's rate depends on the specific project requirements. Please use the Meet button on the profile to schedule a meeting and discuss the details.

How to hire Ali?

To hire Ali, click the Meet button on the profile to request a meeting and discuss your project needs.

Average rates for similar positions

Rates are based on recent contracts and do not include FRATCH margin.

Market avg: 880-1040 €
The rates shown represent the typical market range for freelancers in this position based on recent contracts on our platform.
Actual rates may vary depending on seniority level, experience, skill specialization, project complexity, and engagement length.